External security module for a television signal decoder

ABSTRACT

A decoder for descrambling encoded satellite transmissions comprises an internal security element and a replaceable security module. The program signal is scrambled with a key and then the key itself is twice-encrypted and multiplexed with the scrambled program signal. The key is first encrypted with a first secret serial number (SSN₁) which is assigned to a given replaceable security module. The key is then encrypted with a second secret serial number (SSN₀) which is assigned to a given decoder. The decoder performs a first key decryption using the second secret serial number (SSN₀) stored within the decoder. The partially decrypted key is then further decrypted by the replaceable security module using the first secret serial number (SSN₁) stored within the replaceable security module. The decoder then descrambles the program using the twice-decrypted key. The replaceable security module can be replaced, allowing the security system to be upgraded or changed following a system breach.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to the field of scrambling systems and more specifically, to an external security module for a television signal decoder of a broadcast, satellite, or cable television transmission system. The present invention has particular application for B-type Multiplexed Analog Component (B-MAC) satellite transmission, but may also be used for NTSC (National Television Standards Committee), PAL, SECAM, or proposed high definition television formats. In addition, the scrambling system of the present invention can be used in applications in related fields such as electronic banking networks, telephone switching systems, cellular telephone networks, computer networks, etc. The system has particular application to so-called “conditional-access” multichannel television systems, where the viewer may have access to several “basic” channels, one or more “premium” or extra-cost channels as well as “pay-per-view” programs.

2. Description of the Relevant Art

In a pay television system, a pay television service provider typically protects the signal from unauthorized subscribers and pirates through scrambling.

For the purposes of the following discussion and this invention, the term “subscriber” means one who is paying for the television service. The “subscriber” could thus be an individual consumer with a decoder in his own home, or could be a system operator such as a local cable TV operator, or a small network operator such as a Hotel/Motel operator with a central decoder for all televisions in the Hotel or Motel. In addition, the “subscriber” could be an industrial user, as described in U.S. Pat. No. 4,866,770 assigned to the same assignee as the present application and incorporated herein by reference.

For the purposes of this invention, a network is defined as a program source (such as a pay television provider), an encoder (sometimes called a “head end”), a transmission means (satellite, cable, radio wave, etc.) and a series of decoders used by the subscribers as described above. A system is defined as a program source, an encoder, a transmission means, and a single receiving decoder. The system model is used to describe how an individual decoder in a network interacts with the encoder.

The scrambling process is accomplished via a key which may itself be encrypted. Each subscriber wishing to receive the signal is provided with a decoder having an identification number which is unique to the decoder. The decoder may be individually authorized with a key to descramble the scrambled signal, provided appropriate payments are made for service. Authorization is accomplished by distributing descrambling algorithms which work in combination with the key (and other information) to paying subscribers, and by denying that information to non-subscribers and to all would-be pirates.

The key may be transmitted as a data signal embedded in the normal television transmission associated with the identification number of the decoder. In a typical television signal, there are so-called “vertical blanking intervals” (VBI) occurring in each field and “horizontal blanking intervals” (HBI) occurring in each line between the chrominance and luminance signals. Various other signals can be sent “in-band” in the vertical and horizontal blanking intervals including additional audio channels, data, and teletext messages. The key can be embedded in these “blanking intervals” as is well known in the art. Attention is drawn to U.S. Pat. No. 4,829,569 assigned to the same assignee as the present application and incorporated herein by reference, showing how such data can be embedded in a B-MAC signal. Alternatively, the key may be sent “out-of-band” over a separate data channel or even over a telephone line.

Maintaining security in a conditional-access television network depends on the following requirements:

(i) The signal scrambling techniques must be sufficiently complex to ensure that direct cryptographic attack is not practical.

(ii) Keys distributed to an authorized decoder cannot be read out and transferred to other decoders.

The first condition can be satisfied by practical scrambling algorithms now available such as the DES (Data Encryption Standard) or related algorithms.

The second condition requires the physical security of certain devices within the television signal decoder and is much more difficult to satisfy. Such a device must prevent observation of both the key decryption process and the partially decrypted key signals.

FIG. 1 shows a prior art conditional-access system for satellite transmission. In encoder 101, the source program information 102 which comprises video signals, audio signals, and data is scrambled in program scrambler 103 using a key from key memory 104. The scrambling techniques used may be any such techniques which are well known in the art. The key can be a signal or code number used in the scrambling process which is also required to “unlock” or descramble the program in program descrambler 108 in decoder 106. In practice, one key can be used (single layer encryption) or more than one key (not shown). The key is usually changed with time (i.e., monthly) to discourage piracy. The scrambled programs and the key are transmitted through satellite link 105, and received by conditional-access decoder 106. Decoder 106 recovers the key from the received signal, stores it in key memory 107 and applies it to program descrambler 108 which descrambles the scrambled program received over satellite link 105, and outputs unscrambled program 109. The system is not totally secure, as the key is transmitted in the clear through the channel and is available for recovery by pirates.

To overcome this difficulty and referring to prior art FIG. 2, a method of protecting the key during distribution is introduced into the system of FIG. 1. Prior to transmission, the key used to scramble source program 202 in program scrambler 203 is recovered from key memory 204 and itself encrypted in key encryptor 210 using a secret serial number (SSN) from secret serial number database 211 which contains a list of the secret serial numbers of all legitimate subscribers. These secret serial numbers may relate to the unique identification numbers mentioned above for each decoder of a network of such decoders. The source program has now been scrambled using the key, and the key itself has been encrypted using a secret serial number. Thus, the key is not subject to compromise or recovery during transmission in comparison with the system of FIG. 1. In order to descramble the program, the pirate must first obtain the secret serial number of a legitimate decoder, match it with the appropriately encrypted key, decrypt the key, and then descramble the program. The secret serial number is installed in decoder 206, for example, during manufacture in SSN memory 212 resident in decoder 206. The secret serial number is therefore unavailable to pirates provided that decoder 206 remains physically secure.

Each secret serial number is unique to an individual decoder or, at least, unique to a group of decoders in order to be reasonably secure. The encrypted key may therefore be transmitted to each decoder individually by cycling through a database 211, containing all the secret serial numbers of the network in encoder 201 and forming a separate key distribution message in an addressed data packet individually addressed to each authorized decoder in the network. An individual decoder recognizes when its encrypted key has been received by reading the key distribution message attached to the encrypted key.

In known B-MAC systems, the key is distributed in an addressed data packet individually addressed to a particular subscriber's decoder by means of its unique identification number. The addressed data packet is typically inserted in lines 4 through 8 of the vertical blanking interval. Each addressed data packet is typically addressed to one individual decoder. As there are sixty fields generated per second (30 frames of 2 interlaced fields each) in a B-MAC or NTSC television signal, at the rate of one addressed data packet per field, a possible sixty different decoders (or groups of decoders) can be addressed each second, or 3600 per minute, 215,000 per hour, and over 5 million per day. Since each decoder need only be addressed when the service level or encryption level changes, there are sufficient frames available to individually address each decoder even in large systems. The address rate of the decoders may be increased by transmitting more than one addressed data packet per field. Additional data packets may be inserted in the vertical blanking interval or in the horizontal blanking intervals of each frame. The total number of possible addressable decoders is a function of the number of data bits available for decoder addresses. The B-MAC format typically uses 28 bits for decoder addresses, allowing for over 268 million possible decoder addresses. Attention is drawn to the United States Advanced Television Systems Committee Report T2/62, “MULTIPLEXED ANALOG COMPONENT TELEVISION BROADCAST SYSTEM PARAMETER SPECIFICATIONS”, incorporated herein by reference, which describes the data format in a B-MAC signal.

After receiving the addressed data packet, key decryptor 213 then decrypts the key using the secret serial number stored in SSN memory 212. If service to any decoder 206 in the network is to be terminated, the secret serial number for that decoder is simply deleted from SSN database 211, and decoder 206 is deauthorized at the beginning of the next key period.

In a decoder such as the one shown in FIG. 2, the pay television provider has to rely on the physical security of the decoder box itself to prevent a pirate from reading or modifying the secret serial number and key memories in the decoder or observing the key decryption process. In order to provide the necessary physical security, decoder boxes can be equipped with tamper-proof seals, specially headed screws and fasteners, or other tamper resistant packaging to make physical compromise of the decoder difficult. The subscriber is aware that tampering with the decoder could alter the tamper-proof seals or damage the decoder and subsequent examination could lead to discovery.

There are several disadvantages of relying on the physical security of the decoder to maintain system security. First, the pay television provider has to maintain ownership and control over all of the decoders of the network and then rent or lease the decoders to subscribers. The pay television provider is thus responsible for maintenance of all decoders and must maintain an expensive parts inventory and maintenance staff. In addition, in order to initiate service, a serviceperson must make a personal visit to the subscriber's location to install the decoder. In a pay television satellite system, such installation and service calls could be quite costly for remote installations which could be located anywhere in the world. Further, the physical security of a decoder could be breached without fear of discovery if a pirate could obtain a decoder that had been stolen either during the distribution process or from an individual subscriber's home.

Hence, the system of FIG. 2 can be secure only under the following conditions:

(i) It must be impossible to read or modify the SSN and key memories in the decoder.

(ii) It must be impossible to observe the key decryption process, or the links between the four elements (207, 208, 212, and 213) of the decoder.

One way to achieve both of these goals is by the use of a so-called “secure microprocessor”.

FIG. 3 shows a block diagram of a typical prior art microprocessor 320 with processor 321, program memory 322, memory address bus 328, memory data 326 and memory data bus 327. In such a device, input data 323 is processed according to a program stored in program memory 322, producing output data 324. Program memory 322 can be “read out” through memory data bus 327. That is, the memory can be stepped through by sequentially incrementing memory address 325 through memory address bus 328 into program memory 322. Output memory data 326 from memory data bus 327 will reveal the entire program contents of microprocessor 320, including any stored descrambling algorithm and secret serial number. With such data, a pirate can easily decrypt a key transmitted through satellite link 205 of FIG. 2.

FIG. 4 shows a block diagram of an ideal secure microprocessor 420 adapted for securing an algorithm and secret serial number according to one aspect of the present invention. The major difference between secure microprocessor 420 of FIG. 4 and microprocessor 320 of FIG. 3 is that both memory address bus 328 and memory data bus 327 are absent, so there is no way to step through program memory 422 for the purpose of reading or writing. Memory references are executed only by processor 421 according to its mask-programmed code which cannot be changed. All input data 423 is treated as data for processing, and all output data 424 is the result of processing input data 423. There is no mechanism for reading or modifying the content of program memory 422 via the data inputs.

Modern devices are a close approximation to this ideal secure microprocessor. There is, however, one requirement which causes a variation from the ideal. Following manufacture, there must be a mechanism available to write into memory 422 the decoder specific secret serial number 430, as well as decryption algorithm 434. If this facility were available to a pirate, he could modify the secret serial number for the purpose of cloning. Therefore, this facility must be permanently disabled after the secret serial number has been entered.

A variety of techniques may be used to disable the facility for writing into the memory. Secure microprocessor 420 could be provided with on-chip fusible data links 431, a software lock, or similar means for enabling the secret serial number 430 and descrambling algorithm 434 to be loaded into memory 422 at manufacture. Then, for example, the fusible links shown in dashed lines are destroyed so that a pirate has no access to descrambling algorithm 434 or secret serial number 430 stored in program memory 422.

In an alternative embodiment, the microprocessor of FIG. 4 can be secured with an “E² bit.” The “E² bit”, a form of software lock, will cause the entire memory (typically EEPROM) to be erased if an attempt is made to read out the contents of the memory. The “E² bit” provides two advantages: first, the memory is secured from would-be pirates, and second, the memory erasure will indicate that tampering has occurred.

A pirate would have to have access to extensive micro-chip facilities and a significant budget to compromise such a secure microprocessor. The physical security of the processor would have to be breached, destroying the processor and contents. However, integrated circuit technology continuously improves, and unexpected developments could occur which might enable attacks to be made at the microscopic level which are more economic than those available today. Further, the worldwide market for pirate decoders for satellite transmissions would provide the economic incentive to the increasingly sophisticated pirate electronics industry to compromise such a unit.

Copying a single decoder comprising a microprocessor according to FIG. 4 could lead to decoder clones based on the single secret serial number in that single decoder. Discovery would result in the termination of that secret serial number, and thus termination of all of the clones. However, a pirate would also have the option of using the single compromised unit to recover the key. The pirate could then develop a decoder design which would accept the key as a direct input. These pirate units could then be illegally distributed to subscribers, who would pay the pirate for a monthly update of the key. The consequence of a security breach could become extremely damaging to the pay television provider.

Pay television providers are therefore at risk if security depends exclusively on the physical defenses of the secure microprocessor. FIG. 5 shows a device which attempts to overcome the disadvantages of the devices of FIGS. 1 and 2 by providing a security device in a replaceable security module 514. Replaceable security module 514 comprises key decryptor 513, secret serial number memory 512 and key memory 507. As in FIG. 2, encoder 501 scrambles source program 502 comprising video signals, audio signals and data in program scrambler 503 using a key from key memory 504. The key is encrypted in key encryptor 510 using a secret serial number (SSN) from secret serial number database 511 which contains a list of the secret serial numbers of all legitimate subscribers.

The same SSN is installed in secret serial number memory 512 in replaceable security module 514 which is removably attachable to decoder 506. Key decryptor 513 of replaceable security module 514 decrypts the key using the secret serial number stored in secret serial number memory 512. The decrypted key is then stored in key memory 507. Unlike FIG. 2, the entire replaceable security module is removably attached to decoder 506. Program descrambler 508 reads the decrypted key from key memory 507 in replaceable security module 514 and uses the key to descramble and output descrambled program 509. Removable security module 514 is designed to be replaced by the subscriber, preferably without any special tools and, thus, most conventionally may comprise a plug-in module.

The use of a plug-in module gives the pay television provider the ability to upgrade the technology in the security device by swapping it out at very low cost. In the event of a security breach, a new replaceable security module containing the program scrambling algorithm and SSN could be mailed out to authorized subscribers. The authorized subscribers could then remove the old replaceable security module from their decoder and insert the new replaceable security module themselves. System security is thus recovered without the expense of replacing the entire decoder or the expense of sending a service person to replace the replaceable security modules in each decoder. In addition, it is not necessary for the pay television provider to own the decoder itself. The decoder can be a generic commercially available unit purchased by the subscriber, or even integrated into the television itself. To initiate service, the pay television provider need only mail the replaceable security module to the subscriber and no service call is necessary.

Although the replaceable security module has the advantages of providing a guarantee that network security is recoverable following a breach, it also has some disadvantages. All the security resides in replaceable security module 514, and decoder 506 itself is a generic unit. The key signal which is generated by replaceable security module 514 is observable at its transfer point to decoder 506. The key can, however, be changed sufficiently often to ensure that it has no value to a potential pirate.

The problem with this approach is that a given removable security module 514 will operate with any decoder 506, and that tampering with replaceable security module 514 does not involve damage to decoder 506. Consequently, if replaceable security module 514 were to be compromised, piracy would become widespread very rapidly.

Although the devices as described above show a single key to scramble the program signal (so-called “single layer encryption”) any of the prior art devices could also be practiced using a multiple key (“two layer”, “three layer”, etc.) scrambling system. FIG. 6 shows an example of a prior art two layer encryption encoder 601. Encoder 601 contains secret serial number database 611 which contains a list of secret serial numbers for all authorized subscribers. Key memory 604 stores the “Key of the Month” (KOM) which in this embodiment can be either an “even” key for even months (February, April, June, etc.) or an “odd” key for odd months (January, March, May, etc.). The key could also be different for each month of the year, or could be made even more unique, depending on the available data bits for such a key. In addition, the key could be changed more frequently or less frequently than the monthly basis shown here.

Key encryptor 610 encrypts the key selected from key memory 604 and outputs a series of encrypted keys E_(SSN)[KOM] each encrypted with a secret serial number from secret serial number database 611, to data multiplexor 635. Seed memory 636 contains a “seed” which is used for scrambling the audio and video signals. The “seed” can also be a data code or a signal similar to the key described above. Seed encryptor 637 encrypts the seed with the key of the month and outputs the encrypted seed E_(KOM)[SEED] to data multiplexor 635. Thus the key has been encrypted with the secret serial number, and the seed encrypted with the key. Neither the key nor the seed can be easily recovered during transmission.

In this embodiment, source program 602 comprises a Multiplexed Analog Video (MAC) signal 639 with the typical chrominance and luminance signals described previously, along with multiplexed audio data 638 which may comprise several different audio and non-audio (data) signals. For example, there may be at least two channels of audio (stereo) and additional channels of teletext for the hearing impaired. In addition, there may be additional channels of audio related to the video signal such as foreign language translations, unrelated audio signals such as radio programs or data signals such as subscriber messages, computer data, etc. All of these signals are digitized and multiplexed together, as is well known in the art, and the resulting multiplexed audio data 638 is then ready to be scrambled.

The seed passes through pseudo-random bit sequencer (PRBS) 643 and then is added to multiplexed audio data 638 in adder 644. Together, pseudo-random bit sequencer (PRBS) 643 and adder 644 comprise a bit-by-bit encryptor 645 as is well known in the art. The resulting scrambled multiplexed audio data is then passed to data multiplexor 635 and is multiplexed with the encrypted seed and key.

MAC video signal 639 is scrambled in line translation scrambler 603 which scrambles the lines of the MAC signal using the “seed” from seed memory 636 for the scrambling algorithm. The resulting scrambled MAC signal is then sent to multiplexor 632 which multiplexes the scrambled MAC signal with the output from data multiplexor 635. The multiplexed data output of data multiplexor 635 is modulated into pulse amplitude modulation (PAM) format by P.A.M. modulator 645. The output B-MAC signal 646 contains MAC video signal 639 and multiplexed PAM audio data 638, both scrambled with the seed, along with the seed encrypted with the key of the month, and a series of keys of the month which have been encrypted with the secret serial numbers of the subscriber's decoders, all multiplexed together.

In order to descramble the B-MAC signal 646, a pirate must be able to decrypt one of the encrypted keys, and use that key to decrypt the seed. However, as in the single layer encryption device described in FIG. 2, the pirate only needs to compromise one of the decoders in order to obtain a secret serial number, and thus decrypt the key. With the key, a pirate can then decrypt the seed, and with the seed, descramble the program signal. Additional “layers” of encryption (i.e. more seeds and keys) make pirating more cumbersome, as the pirate must decrypt more seeds and keys; however, once the first key has been decrypted, the subsequent keys and seeds can be decrypted as well. In the embodiment shown in FIG. 6, keys need be decrypted every other month (even months and odd months) for the pirate to be able to descramble the program signal all year. The secret serial numbers, seed, and key, as used in FIG. 6, can be used effectively by the pay television provider to terminate a particular decoder by secret serial number and generally discourage piracy by amateurs. However, while this system has not yet been compromised, a determined pirate may compromise such a multi-layered encryption system with the aid of a compromised decoder, the heart of such piracy being the gaining of access to a secret serial number.

In view of the deficiencies of the above prior art devices, it still remains a requirement in the art to provide a scrambling system for pay television systems which does not rely solely on the physical security of the decoder components to maintain system integrity.

SUMMARY OF THE INVENTION

Therefore, it is an object of the present invention to provide a system of double-encrypting the key using two different secret serial numbers respectively assigned to a subscriber's decoder and removable security module.

It is a further object of the present invention to provide a replaceable security module for a television signal decoder where the replaceable security module will work with only one decoder and cannot be used with another decoder.

It is a further object of the present invention to provide a decoder with a data interface for a removable security module.

Many of the above-stated problems and related problems of the prior art encryption devices have been solved by the principles of the present invention which twice-encrypts the key prior to transmission, first with a first secret serial number (SSN₀) of the subscriber's decoder, and again with a second secret serial number (SSN₁) of the subscriber's replaceable security module. The double-encryption technique discourages copying the replaceable security module, as each replaceable security module will work only with its mating decoder. The system also allows the replaceable security module to be replaced following a system breach, thus allowing for recovery of system security.

The system comprises an encoder for encoding a signal, the encoder further comprising a signal scrambler and first and second key encryptors. The signal scrambler scrambles the signal and outputs a scrambled signal and a key for descrambling the scrambled signal. The first key encryptor is coupled to the signal scrambler and performs a first encryption on the key using a first secret serial number and outputs a once-encrypted key. The second key encryptor is coupled to the first key encryptor and performs a further encryption on the once-encrypted key using a second secret serial number and outputs a twice-encrypted key.

The system further comprises a transmitter coupled to the signal scrambler and the second key encryptor for transmitting the scrambled signal and twice-encrypted key.

The system further comprises a decoder coupled to the transmitter for receiving and descrambling the scrambled signal. The decoder comprises first and second key decryptors and a descrambler. The first key decryptor is coupled to the transmitter and performs a first key decryption on the twice-encrypted key using the second secret serial number and outputs a partially decrypted key. The second key decryptor is coupled to the first key decryptor and performs a second key decryption on the partially decrypted key using the first secret serial number and outputs the decrypted key. The descrambler is coupled to the second key decryptor and the transmitter and descrambles the scrambled signal using the decrypted key and outputs the descrambled signal.

In an alternative embodiment of the present invention, the decoder may function without the use of a replaceable security module. In the event of a system breach or a service level change, a replaceable security module may then be inserted into the decoder to “upgrade” the decoder.

These and other objects and advantages of the invention, as well as the details of an illustrative embodiment, will be more fully understood from the following specification and drawings in which similar elements in different figures are assigned the same last two digits to their reference numeral (i.e., encoder 701 of FIG. 7 and encoder 801 of FIG. 8).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an example of a prior art conditional-access system for satellite transmission with a key signal sent in the clear to the decoder.

FIG. 2 shows an example of a prior art conditional-access system for satellite transmission using a single key encryption technique.

FIG. 3 shows an example of a prior art microprocessor without a secure memory.

FIG. 4 shows a secure microprocessor with a secure memory and fusible data links adapted for storing an algorithm and secret serial number according to the present invention.

FIG. 5 shows an example of a conditional-access system for satellite transmission with a replaceable security module containing a first secret serial number.

FIG. 6 shows another prior art conditional-access system for satellite transmission using an additional layer of encryption.

FIG. 7 shows one exemplary embodiment of the conditional-access system of the present invention with an encoder encrypting the key with both a first and second secret serial number, a satellite transmission system, and a decoder containing a first secret serial number and a replaceable security module containing a second secret serial number.

FIG. 8 shows another embodiment of the encryption system of the present invention including a multiplexor and demultiplexor for multiplexing the twice encrypted key with the scrambled program signal prior to transmission, and demultiplexing the twice encrypted key from the scrambled program signal after reception.

FIG. 9 shows an alternative embodiment of the device of FIG. 7 incorporating a telephone controller for bi-directional telephone control for pay-per-view access or key transmission.

FIG. 10 shows a block diagram of an alternative embodiment of the device of FIG. 9, showing in detail how signals are passed between the decoder and the replaceable security module.

FIG. 11 shows another embodiment of the device of FIG. 10 with the telephone controller, but without a replaceable security module.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 7 shows the encryption system of the present invention comprising an encoder 701 for encoding a source program 702 for transmission over a satellite link 705 to a decoder 706. According to FIG. 7, the key is encrypted and addressed to individual decoders, similar to the device in FIG. 5. However, in this case, the key is encrypted not once, but twice and must also be decrypted twice in the decoder. The first decryption takes place in a replaceable security module 714 which is mounted on the exterior of the decoder 706, for example, as a plug-in module. The second decryption takes place in a fixed security element 719 which is an integral part of the decoder 706. Both decryptions must take place properly for the decoder to receive the key.

The encoder 701 has a key memory 704 containing the key used to scramble program 702 in program scrambler 703. The key is first encrypted in first key encryptor 710 with a first secret serial number (SSN₀) stored in SSN₀ database 711. The key is further encrypted in second key encryptor 715 with a second secret serial number (SSN₁) from SSN₁ database 716. This produces a series of twice-encrypted keys which are then transmitted along with the scrambled program via satellite link 705. The decoder 706 receives the encrypted scrambled program and one of the twice-encrypted keys and performs a first key decryption in replaceable security module 714. The replaceable security module 714 contains a second secret serial number (SSN₁), which could be assigned to a particular security module or series of modules, in SSN₁ memory 717. The replaceable security module 714 performs a first key decryption in first key decryptor 718 and outputs a partially decrypted key. The partially decrypted key, still unreadable to a pirate, is sent to second key decryptor 713 located in decoder 706 itself. There, the key is fully decrypted using the first secret serial number stored in SSN₀ memory 712. The fully decrypted key is now stored in key memory 707 and used to descramble the scrambled program received from satellite link 705 in program descrambler 708 and output descrambled program 709.

Both replaceable security module 714 and an internal security element 719 of decoder 706 may be constructed according to the principles of FIG. 4. For example, the second secret serial number SSN₁ may be loaded into SSN₁ memory 717 of Module 714 and fusible links used for loading the memory destroyed during manufacture. Similarly, SSN₀ memory 712 of internal security element 719 may be loaded during manufacture over a fusible link and the link destroyed. Also over a fusible link, algorithms may be loaded into key decryptors 718, 713 during manufacture and the fusible links subsequently destroyed.

The effect of twice-encrypting the key is to ensure that replaceable security module 714 must correspond to a particular decoder 706 and will not operate with any other decoder. Loss of replaceable security module 714 during distribution no longer presents a potential security breach. To compromise the system, it is now necessary to break the physical security of both replaceable security module 714 and internal security element 719. In order to fully compromise the system, the internal security element 719 must be attacked, restoring the risk to the subscriber that his decoder will be damaged.

At the same time, the replaceable security module provides the pay television provider with the option of replacing system security by mailing out new replaceable security modules to all authorized subscribers. Returned replaceable security modules 714 could be re-used for a different subscriber decoder by reprogramming the SSN₀ and SSN₁ databases 711 and 716 to correspond to the combination of the first secret serial number of decoder 706 with the second secret serial number of security module 714. Alternatively, the returned replaceable security modules 714 could be destroyed, and a new replaceable security module 714 sent out, incorporating changes and improvements in the security technology to thwart potential pirates. In the event of a security breach, it is only necessary to replace the replaceable security module and not the complete decoder in order to restore system security.

Alternatively, the decoder 706 may function optionally without the use of the replaceable security module 717. In such a system, encoder 701 may be programmed to perform single level key encryption by encrypting the key from key memory 704 once in second key encryptor 715, bypassing first key encryptor 710. Decoder 706 would sense the absence of removable security module 717 and perform only a single key decryption in second key decryptor 713.

If a system breach occurs, the pay television provider then mails out replaceable security modules to subscribers, uses the double encryption technique, and thus recovers system security. The optional usage of the replaceable security module has other attractive benefits as well. Subscribers who do not pay for any premium channels may not be sent a replaceable security module, as the “basic” channels may only use a once-encrypted key or may even be sent in the clear. If the subscriber wishes to upgrade to a premium channel or channels, the pay television provider may then mail that subscriber the appropriate replaceable security module.

In addition, the replaceable security module may be used to add other additional features. Many cable television systems offer optional services such as IPPV (Impulse-Pay-Per-View) which require two-way communication between the decoder 706 and the head end. In the past, if a subscriber wished to upgrade to IPPV service, a subscriber's decoder would have to be altered by inserting an IPPV module internally or by adding an IPPV “side car” externally. Alternatively, the entire decoder would have to be replaced. All three options would necessitate a service call, causing inconvenience to the subscriber, and expense to the pay television provider. Similarly, when a pay television provider wishes to upgrade its entire encoder/decoder system, it must provide a new decoder to each subscriber which will work in the interim with both the old and new encoding techniques, as it is nearly impossible to replace all subscriber decoders simultaneously. Then a decoder manufacturer is faced with the added expense of providing his state-of-the-art decoder with extra circuitry in order to function with the pay television provider's old encoder for the few months during the change over period.

In both the above instances, the replaceable security module 714 may be used to upgrade the decoder 706 without the expense and inconvenience of a service call. The replaceable security module 714 may be mailed to the subscriber and the subscriber can then insert the replaceable security module 714 and instantly upgrade the decoder and add additional features (such as IPPV), alter the encoding technique, or provide an external level of security.

The replaceable security module 714 may take one of several forms. In the preferred embodiment, the module may comprise a “smart card”, a plastic “credit card” with a built-in micro-processor, such as described by the International Standards Organization in standard ISO 7816/1 and ISO 7816/2. Attention is drawn to U.S. Pat. No. 4,841,133 issued Jun. 20, 1989 and incorporated herein by reference, describing such a “smart card.” The “smart card” may be equipped with a series of electrical contacts which connect to contacts in the decoder 706. The contacts may provide power to the card, along with clock signals and data transmission.

FIG. 8 shows another embodiment of the present invention wherein the key is twice encrypted and addressed to individual decoders, similar to the device in FIG. 7. The encoder 801 has a key memory 804 containing the key used to scramble program 802 in program scrambler 803. The key is first encrypted in first key encryptor 810 with the first secret serial number (SSN₀) stored in SSN₀ database 811. The key is further encrypted in second key encryptor 815 with a second secret serial number (SSN₁) from SSN₁ database 816, producing a series of twice-encrypted keys as in FIG. 7. However, in this embodiment, the twice encrypted keys are then multiplexed into the scrambled program in multiplexor 832 and transmitted via satellite link 805.

The decoder 806 receives the encrypted program and demultiplexes the twice encrypted keys from the scrambled program signal in demultiplexor 833. The decoder 806 then chooses the proper twice encrypted key based on the key message associated with the proper key for that decoder, and performs a first key decryption in replaceable security module 814. The partially decrypted key is then sent to second key decryptor 813 located in the decoder 806 itself. There, the key is fully decrypted using the unique first secret serial number stored in SSN₀ memory 812. The fully decrypted key is now stored in key memory 807 and used to decrypt the program in the program descrambler 808 and output the decrypted program 809. The second key decryptor 813, key memory 807, and SSN₀ memory 812 together comprise fixed internal security element 819.

FIG. 9 shows an alternate embodiment of the present invention with a telephone controller. Decoder 906 is similar to the decoder 706 of FIG. 7, except that decoder 906 of FIG. 9 also includes a telephone controller 940 for receiving or sending an encrypted key or other data. Telephone controller 940 adds an additional level of security to the system, as the key does not have to be transmitted with the program signal over a separate channel as in FIG. 7 or multiplexed into the signal as in FIG. 8. In addition, the telephone controller 940 can provide two-way communication with the program source for such features as pay-per-view (PPV) or impulse pay-per-view (IPPV) programming.

Pay-per-view programming is defined here as any programming where the subscriber can request authorization to watch a particular program. In many pay television systems, pay-per-view programming is used for sporting events (boxing, wrestling, etc.) which are not transmitted on a regular basis. A subscriber wishing to view the event must receive authorization in the form of a special descrambler mechanism, or in the form of a special code transmitted or input to the subscriber's decoder. Some pay-per-view television systems allow the subscriber to request a pay-per-view program (i.e. - movies) to watch. The pay television provider then transmits the requested program and authorizes that subscriber's decoder to receive the signal.

Impulse pay-per-view (IPPV) programming is defined here as any programming where the subscriber has a pre-authorized number of “credits” saved in his individual decoder. If a subscriber wishes to view a particular program, the subscriber merely actuates the decoder, the appropriate number of credits are subtracted from the subscriber's remaining credits, and the subscriber is immediately able to view the program.

In a pay-per-view embodiment of the present invention, the decoder may send a signal to the head end via the telephone controller 940 with a request for authorization to decode a pay-per-view program. Alternately, the decoder 906 may store authorization information (i.e. - credits) for pay-per-view programming, and forward actual pay-per-view data via the telephone controller 940 at a later time.

The telephone controller 940 could be a computer modem type device, or could work using touch-tone signals to communicate with the head end. Preferably, the telephone controller is a modem type device, communicating with the head end using a TSK protocol. Attention is drawn to copending application Ser. No. 187,978 filed Apr. 29, 1989 describing TSK operation and incorporated herein by reference. The pay television provider can thus send appropriate authorization information (TEL) to the subscriber, encrypted with the subscriber's secret telephone number (STN). The secret telephone number is not a telephone number in the ordinary sense, but rather another type of secret serial number, which could be assigned to a given telephone controller 940 or series of telephone controllers. Once received by the decoder 906, the authorization information may be used to enable descrambling of a particular pay-per-view program or programs.

In another embodiment, which could be used in conjunction with the pay-per-view embodiment described above, the telephone controller can be used to receive the key encrypted with the secret telephone number. The scrambled program signal 941 is input to the decoder 906 which provides the input signal 941 to a clock/data recovery unit 942 and the video/audio descrambler 908. The clock/data recovery unit 942 provides sync and data for the program signal fed to the fixed security element 919. Fixed security element 919 contains a key decryptor, key memory and SSN₀ memory. The telephone controller 940 receives the key, encrypted with the secret telephone number of the decoder (STN) stored in the replaceable security module 914. The telephone controller 940 typically commences communication and can be programmed to call the head end at a predetermined time or at a predetermined time interval, or upon receiving a signal from the head end, preferably when phone usage is at a minimum (i.e. - early morning hours). The telephone controller can call the head end via a toll free 1-800 number, a so-called “watts” line, or via a local call to a commercial data link such as TYMNET or TELENET. Once the call is connected and communications established, the decoder 906 uploads to the head end a record of pay-per-view usage encrypted with the secret telephone number STN₁. The head end may then download data similarly encrypted to the decoder 906 including new keys, secret serial numbers, or decryption algorithms. The encrypted key may be sent to the fixed security element 919, which has removably attached thereto the replaceable security module 914. The key is then decrypted in the replaceable security module using the secret telephone number, and decoder control information is sent to the program descrambler 908 to produce the descrambled program 909.

As discussed above, a new secret serial number or decryption algorithm, encrypted with the secret telephone number, may be sent from the head end to a decoder through telephone controller 940. The encrypted secret serial number or decryption algorithm is then decrypted and stored in the replaceable security module. The downloading of decryption algorithms and secret serial numbers via the telephone controller 940 is sometimes called an “E² patch”, and allows the pay television provider to maintain or recover system security by loading new information into a decoder's EEPROM. An E² patch does not necessarily entail changing the entire decryption algorithm in the decoder 906. The secret serial number or merely a portion of the decryption algorithm, such as a particular byte or data table, need only be changed in order to sufficiently alter the decryption algorithm. The E² patch allows the pay television provider to upgrade the encryption system to fix “bugs” and recover system security.

After receiving a signal through the telephone controller 940, the head end will send an acknowledgment signal to the decoder, indicating that information has been received. Similarly, after data has been downloaded from the head end to the decoder through the telephone controller, the decoder will return an acknowledgment signal to the head end that data has been received.

In addition to pay-per-view requests or records, telephone controller 940 can also be used to upload other signals from the decoder. For example, tamper protection information such as described in connection with FIG. 4 can be sent indicating whether or not the decoder has been tampered with. Further, program viewing information can be uploaded to the pay television provider for television rating purposes (i.e. - Nielsen ratings).

In general, any data that can be delivered via the B-MAC input 941 of FIG. 9 (or NTSC, PAL, SECAM, etc.) can also be downloaded through the telephone controller 940. Such information includes, but is not limited to, blackout codes, tiering information, personal messages, number of available credits, group identification numbers, and other system data. Generally, the telephone controller 940 is used for infrequent communications, such as periodic security level changes and IPPV requests, due to the limited bandwidth of telephone lines and the increased cost of sending information via telephone versus the B-MAC input.

The telephone information (TEL) encrypted with the secret telephone number (STN) remains encrypted throughout the decoder 906 and may only be decrypted in the replaceable security module 914. The decrypted telephone information does not pass out of the replaceable security module 914, in order to prevent observation by a pirate. In order for the decoder 906 to descramble a scrambled program, both the telephone information and the addressed data packet received through the B-MAC input 941 must be present. By relying on both information sources, piracy is virtually impossible, as the potential pirate must break into the pay television provider's telephone system as well as decrypt the twice-encrypted key.

FIG. 10 shows a more detailed diagram of the device of FIG. 9, showing how the various signals are sent between the fixed security element 1019 and the replaceable security module 1014. In this embodiment, both the fixed and replaceable security modules 1019 and 1014 are built around secure microprocessors 1050 and 1051 similar to that shown in FIG. 4. In FIG. 10, the subscript “0” is used to denote signals and keys stored or decrypted in the fixed security element 1019, while the subscript “1” denotes signals and keys stored or decrypted in the replaceable security module 1014.

Fixed security element 1019 comprises a secure microprocessor 1050 which receives signals 1053, 1054, and 1055 as inputs. Signal 1053 is the program (SYS) which has been scrambled with a key-of-the-month (KOM) and is represented by the symbol E_(KOM1)(SYS). Signal 1054 is the key-of-the-month (KOM) which has been twice-encrypted with the two secret serial numbers (SSN₀ and SSN₁) of the fixed and replaceable security modules 1019 and 1014, respectively, and is represented by the symbol E_(SSN0)(E_(SSN1)(KOM1)).

Signal 1055 is an additional signal, E_(STN1)(TEL), which is the telephone data encrypted with a secret telephone number (STN) described in FIG. 9 above. The telephone data can be used to provide an additional level of security, as well as to allow the subscriber to request “pay-per-view” programs via the phone line as described in FIG. 9 above.

Secure microprocessor 1050 performs a first decryption of twice-encrypted key 1054 using the first secret serial number SSN₀ stored within secure microprocessor 1050. Secure microprocessor 1050 passes partially decrypted key-of-the-month E_(SSN1)(KOM) 1061 to replaceable security module 1014 along with scrambled program E_(KOM1)(SYS) 1062 and encrypted telephone data E_(STN1)(TEL) 1060.

Replaceable security module 1014 comprises secure microprocessor 1051 which has secure memory 1052 where the second secret serial number SSN₁ is stored along with the secret telephone number STN₁, the encryption algorithm E, and other authorization information. Secure microprocessor 1051 performs a further decryption on partially decrypted key-of-the-month E_(SSN1)(KOM) 1061 received from fixed security element 1019, using the second secret serial number SSN₁ and encryption algorithm E stored within secure memory 1052. The decrypted key-of-the-month (KOM1) is stored in the secure memory 1052 of secure microprocessor 1051. As discussed in FIG. 4, secure memory 1052 cannot be directly addressed or read out, and as such the second secret serial number SSN₁ and the encryption algorithm E cannot be observed by a potential pirate.

Secure microprocessor 1051 also decrypts the telephone data (TEL) using the secret telephone number STN₁ stored within the secure memory 1052 of the secure microprocessor 1051. If the key-of-the-month (KOM1) can be decrypted, and authorization is present (for pay-per-view), or unnecessary (for other channels), then scrambled program E_(KOM1)(SYS) 1062 can be descrambled in replaceable security module 1014, producing decoder control information DCI₁ 1058. Decoder control information DCI₁ 1058 typically contains the line translation scrambling information for the video signal, and decryption information for the multiplexed audio data along with other information such as whether teletext is enabled and which audio channel is to be selected. The program control information DCI₁ 1058 and the encrypted telephone data E_(STN1)(TEL) are sent to the fixed security element 1019. If authorization is present (for IPPV) or unnecessary (for other channels), the secure microprocessor 1050 outputs the program control data 1058 to the rest of the decoder (not shown) for program descrambling. On-screen display support information (OSD) 1057 is decoded from the encrypted program signal E_(KOM1)(SYS) and provides information on how the on-screen display is controlled by fixed security element 1019 to display personal messages, control a barker channel, indicate the number of remaining credits, indicate authorized channels, as well as other ways of controlling displayed information.
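The FIG. 10 key path E_(SSN0)(E_(SSN1)(KOM)), together with the pairing and module-replacement properties described in connection with FIG. 7, can be traced in the following added Python example, which is not code from the patent. Assumptions: the patent does not specify algorithm E, so `E`/`D` are a stand-in built from HMAC-SHA256; the integrity tag that makes a wrong secret detectable is an addition; all class names, identifiers and sample data are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16
SAMPLE_SYS = b"DCI: line-translation seed 0x2A, audio channel 1"  # constructed sample


class WrongSecret(Exception):
    """A layer was opened with the wrong secret serial number or key."""


def _mac(secret, label, data):
    return hmac.new(secret, label + data, hashlib.sha256).digest()


def _stream(secret, nonce, n):
    blocks = (_mac(secret, b"ks", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def E(secret, data):
    """Stand-in for the unspecified algorithm E; not a vetted cipher."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(data, _stream(secret, nonce, len(data))))
    return nonce + body + _mac(secret, b"tag", nonce + body)[:TAG_LEN]


def D(secret, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    # Assumption: a tag makes a wrong secret detectable instead of yielding garbage.
    if not hmac.compare_digest(tag, _mac(secret, b"tag", nonce + body)[:TAG_LEN]):
        raise WrongSecret("layer does not open with this secret")
    return bytes(a ^ b for a, b in zip(body, _stream(secret, nonce, len(body))))


class FixedElement:
    """Internal security element: holds SSN0 and strips only the outer layer."""

    def __init__(self, ssn0):
        self._ssn0 = ssn0

    def strip_outer(self, key_message):
        return D(self._ssn0, key_message)  # result is still E_SSN1(KOM)


class ReplaceableModule:
    """Plug-in module: holds SSN1; the clear KOM stays inside the module."""

    def __init__(self, ssn1):
        self._ssn1 = ssn1
        self._kom = None

    def load_key(self, partial):
        self._kom = None  # drop any previous key before trying the new one
        self._kom = D(self._ssn1, partial)

    def descramble(self, scrambled):
        if self._kom is None:
            raise WrongSecret("no key loaded")
        return D(self._kom, scrambled)  # decoder control information


class HeadEnd:
    """Encoder side: one twice-encrypted key message per (decoder, module) pair."""

    def __init__(self):
        self.pairs = {}  # decoder id -> (SSN0, SSN1)

    def pair(self, decoder_id, ssn0, ssn1):
        self.pairs[decoder_id] = (ssn0, ssn1)

    def key_messages(self, kom):
        return {d: E(s0, E(s1, kom)) for d, (s0, s1) in self.pairs.items()}


def decode(fixed, module, key_message, scrambled):
    """Return the control information, or None if either layer fails to open."""
    try:
        module.load_key(fixed.strip_outer(key_message))
        return module.descramble(scrambled)
    except WrongSecret:
        return None


def demo():
    head = HeadEnd()
    ssn0_a, ssn0_b, ssn1_a, ssn1_b = (os.urandom(16) for _ in range(4))
    head.pair("A", ssn0_a, ssn1_a)
    head.pair("B", ssn0_b, ssn1_b)
    dec_a, dec_b = FixedElement(ssn0_a), FixedElement(ssn0_b)
    mod_a, mod_b = ReplaceableModule(ssn1_a), ReplaceableModule(ssn1_b)
    kom = os.urandom(16)
    msgs, scrambled = head.key_messages(kom), E(kom, SAMPLE_SYS)
    results = {
        "paired": decode(dec_a, mod_a, msgs["A"], scrambled),
        "module_a_in_decoder_b": decode(dec_b, mod_a, msgs["B"], scrambled),
        "message_for_a_on_decoder_b": decode(dec_b, mod_b, msgs["A"], scrambled),
    }
    # Recovery after a breach: decoder A keeps SSN0, gets a module with a new SSN1.
    ssn1_new, kom2 = os.urandom(16), os.urandom(16)
    head.pair("A", ssn0_a, ssn1_new)
    msgs2, scrambled2 = head.key_messages(kom2), E(kom2, SAMPLE_SYS)
    results["old_module_after_swap"] = decode(dec_a, mod_a, msgs2["A"], scrambled2)
    results["new_module_after_swap"] = decode(
        dec_a, ReplaceableModule(ssn1_new), msgs2["A"], scrambled2)
    return results


if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case:28s} {'descrambled' if out else 'rejected'}")
```

Only the matching decoder and module pair recovers the control information; a module moved to another decoder, a key message addressed to another decoder, and a superseded module are all rejected.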

FIG. 11 shows a further embodiment of the present invention, without a replaceable security module. In this embodiment, the subscript “0” has been used to denote that all decryptions take place within secure microprocessor 1150. Decoder 1106 comprises secure microprocessor 1150 with secure memory 1152. Secure memory 1152 contains a secret serial number SSN₀ and a secret telephone number STN₀ unique to that decoder or a series of decoders, loaded during manufacture and secured with an “E² bit” as discussed in connection with FIG. 4. Scrambled program E_(KOM0)(SYS) 1153 and once-encrypted key-of-the-month E_(SSN0)(KOM0) 1154 are input to decoder 1106 along with encrypted telephone data E_(STN0)(TEL) 1155.

Secure microprocessor 1150 decrypts encrypted telephone data E_(STN0)(TEL) 1155 using the secret telephone number STN₀ stored in secure memory 1152. The decrypted telephone data (TEL) is also stored in secure memory 1152 to prevent observation by pirates. The telephone data (TEL) may provide authorization information to decoder 1106 as to whether decoder 1106 is presently authorized to decrypt some or all of the received scrambled programs. In addition, other information may be transferred between the decoder and the head end as discussed in connection with FIG. 9.

If authorization is present, secure microprocessor 1150 uses the first secret serial number SSN₀ stored in secure memory 1152 to decrypt the key KOM₀. As in FIG. 10, the secure microprocessor 1150 then outputs program control information DCI₀ 1156 to the remainder of decoder 1106 in order to descramble the program signal.

While the present invention has been disclosed with respect to a preferred embodiment and modifications thereto, further modifications will be apparent to those of ordinary skill in the art within the scope of the claims that follow. It is not intended that the invention be limited by the disclosure, but instead that its scope be determined entirely by reference to the claims which follow herein below.

1. A security system for transmission of a signal comprising: encoder means for encoding said signal, said encoder means comprising: signal scrambling means for scrambling signal and outputting a scrambled signal and a key for descrambling said scrambled signal; first key encryptor means coupled to said signal scrambling means, for performing a first encryption on said key using a first confidential serial number and outputting a once-encrypted key, and second key encryptor means coupled to said first key encryptor means, for performing a further encryption on said once once-encrypted key using a second confidential serial number and outputting a twice-encrypted key, transmission means coupled to said signal scrambling means and said second key encrypted means for transmitting said scrambled signal and said twice-encrypted key, decoder means coupled to said transmission means for receiving and descrambling said scrambled signal, said decoder means comprising: first key decryptor means coupled to said transmission means, for performing a first key decryption on said twice twice-encrypted key using said second confidential serial number and outputting a partially decrypted key, a replaceable security module, removably attached to said decoder means and containing a second key decryptor means coupled to said first key decryptor means, for performing a second key decryption on said partially decrypted key using a said first confidential serial number and outputting a decrypted key, and signal descrambling means coupled to said second key decryptor means and said transmission means for descrambling said scrambled signal using said twice-decrypted decrypted key and outputting a descrambled signal.
2. The security system of claim 1, wherein said encoder means further comprises: key memory means coupled to said signal scrambling means and said first key encryptor means for storing said key.
3. The security system of claim 1, wherein said encoder means further comprises: a first confidential serial number database coupled to said first key encryptor means, containing a list of first confidential serial numbers.
4. The security system of claim 3, wherein said encoder means further comprises: a second confidential serial number database coupled to said second key encryptor means, containing a list of second confidential serial numbers.
5. The security system of claim 1, wherein said decoder means further comprises: second confidential serial number memory means coupled to said first key decryptor means, for storing a said second confidential serial number.
6. The security system of claim 5, wherein said replaceable security module contains said first confidential serial number memory means.
7. A security system for transmission of a signal comprising: encoder means for encoding said signal, said encoder means comprising: signal scrambling means for scrambling said signal and outputting a scrambled signal and a key for descrambling said scrambled signal, first key encryptor means coupled to said signal scrambling means, for performing a first encryption on said key using a first confidential serial number and outputting a once-encrypted key, and second key encryptor means coupled to said first key encryptor means, for performing a further encryption on said once once-encrypted key using a second confidential serial number and outputting a twice-encrypted key, transmission means coupled to said signal scrambling means and said second key encryptor means for transmitting said scrambled signal and said twice-encrypted key, decoder means coupled to said transmission means for receiving and descrambling said scrambled signal, said decoder means comprising: a replaceable security module, removably attached to said decoder means and containing a first key decryptor means coupled to said transmission means, for performing a first key decryption on said twice twice-encrypted key using said second confidential serial number and outputting a partially decrypted key, a second key decryptor means coupled to said first key decryptor means, for performing a second key decryption on said partially decrypted key using a said first confidential serial number and outputting a decrypted key, and signal descrambling means coupled to said first second key decryptor means and said transmission means for descrambling said scrambled signal using said twice-decrypted decrypted key and outputting a descrambled signal.
8. The security system of claim 7, wherein said decoder means further comprises: first confidential serial number memory means coupled to said second key decryptor means for storing a said first confidential serial number.
9. The security system of claim 1, wherein said decoder means further comprises: telephone interface means for transmitting and receiving data to and from a pay television provider, said data encrypted with a confidential telephone number.
10. The security system of claim 9, wherein an encrypted key is received via said telephone interface means.
11. The security system of claim 1, wherein said transmission means further comprises: first transmission means for transmitting said scrambled signal; and second transmission means for transmitting said twice-encrypted key.
12. The security system of claim 1, wherein said signal is a television signal.
13. The security system of claim 11 12, wherein said television signal is a B-MAC type television signal.
14. The security system of claim 1, wherein said encoder means further comprises: multiplexor means for multiplexing said twice-encrypted key with said scrambled signal prior to transmission.
15. The security system of claim 14, wherein said decoder further comprises: demultiplexor means for demultiplexing said twice-encrypted key from said scrambled signal.
16. A decoder for receiving and descrambling a signal which has been scrambled using a key which has been subsequently twice-encrypted, said decoder comprising: first key decryptor means for performing a first key decryption on said twice twice-encrypted key using said a second confidential serial number and outputting a partially decrypted key, a replaceable security module, removably attached to said decoder and containing a second key decryptor means coupled to said first key decryptor means for performing a second key decryption on said partially decrypted key using a first confidential serial number and outputting a decrypted key, and signal descrambling means coupled to said second key decryptor means for descrambling said scrambled signal using said twice-decrypted decrypted key and outputting a descrambled signal.
17. The decoder of claim 16, further comprising: key memory means coupled to said signal descrambler descrambling means and said second key decryptor means for storing said decrypted key.
18. The decoder of claim 16, further comprising: second confidential serial number memory means coupled to said first key decryptor means, for storing a said second confidential serial number.
19. A decoder for receiving and descrambling a signal which has been scrambled using a key which has been subsequently twice-encrypted, said decoder comprising: a replaceable security module, removably attached to said decoder and containing a first key decryptor means for performing a first key decryption on said twice twice-encrypted key using said a second confidential serial number and outputting a partially decrypted key, second key decryptor means coupled to said first key decryptor means for performing a second key decryption on said partially decrypted key using a first confidential serial number and outputting a decrypted key, and signal descrambling means coupled to said second key decryptor means for descrambling said scrambled signal using said twice-decrypted decrypted key and outputting a descrambled signal.
20. The decoder of claim 16, further comprising: first confidential serial number memory means coupled to said second key decryptor means, for storing a said first confidential serial number.
21. The decoder of claim 20, wherein said replaceable security module contains said first confidential serial number memory means.
22. The decoder of claim 16, wherein said signal is a television signal.
23. The decoder of claim 16 further comprising: telephone interface means for transmitting and receiving data to and from a pay television provider, said data encrypted with a confidential telephone number.
24. The decoder of claim 23, wherein said twice-encrypted key is received via said telephone interface means.
25. The decoder of claim 22, wherein said television signal is a B-MAC type television signal.
26. The decoder of claim 16, wherein said scrambled signal and said twice-encrypted key have been multiplexed together prior to reception by the decoder.
27. The decoder of claim 24 26, further comprising: demultiplexor means for demultiplexing said twice-encrypted key from said scrambled signal.
 28. A method of transmitting a securesignal comprising the steps of: scrambling said signal using a key toproduce a scrambled signal, encrypting said key using a firstconfidential serial number to produce a once-encrypted key. key, furtherencrypting said once once-encrypted key using a second confidentialserial number to produce a twice-encrypted key, transmitting saidscrambled signal and said twice-encrypted key, receiving said scrambledsignal and said twice-encrypted key in a decoder, performing a firstdecryption of said twice-encrypted key using said second confidentialserial number to produce a partially decrypted key, performing a seconddecryption on said partially decrypted key in a replaceable securitymodule removably attached to said decoder using a said firstconfidential serial number to produce a decrypted key, descrambling saidscrambled signal using said decrypted key to produce a descrambledsignal, and outputting said descrambled signal.
 29. The method of claim 28, wherein said second confidential serial number is assigned to said decoder.
 30. A method of transmitting a secure signal comprising the steps of: scrambling said signal using a key to produce a scrambled signal, encrypting said key using a first confidential serial number to produce a once-encrypted key, further encrypting said once-encrypted key using a second confidential serial number to produce a twice-encrypted key, transmitting said scrambled signal and said twice-encrypted key, receiving said scrambled signal and said twice-encrypted key in a decoder, performing a first decryption of said twice-encrypted key in a replaceable security module removably attached to said decoder using said second confidential serial number to produce a partially decrypted key, performing a second decryption on said partially decrypted key using said first confidential serial number to produce a decrypted key, descrambling said scrambled signal using said decrypted key to produce a descrambled signal, and outputting said descrambled signal.
 31. The method of claim 30, wherein said second confidential security serial number is assigned to said replaceable security module.
 32. The method of claim 28, wherein said first confidential security serial number is assigned to said replaceable security module.
 33. The method of claim 28, wherein said transmitting step further comprises: multiplexing said scrambled signal and said twice-encrypted key together prior to transmission.
 34. The method of claim 28, wherein said transmitting step further comprises: transmitting said scrambled signal and said twice-encrypted key as separate signals.
 35. A method of decoding a signal comprising the steps of: receiving a scrambled signal and a twice-encrypted key in a decoder, performing a first decryption of said twice-encrypted key using a second confidential serial number to produce a partially decrypted key, performing a second decryption on said partially decrypted key in a replaceable security module removably attached to said decoder using a first confidential serial number to produce a decrypted key, descrambling said scrambled signal using said decrypted key to produce a descrambled signal, and outputting said descrambled signal.
 36. A method of decoding a signal comprising the steps of: receiving a scrambled signal and a twice-encrypted key in a decoder, performing a first decryption of said twice-encrypted key in a replaceable security module removably attached to said securing using a second confidential serial number to produce a partially decrypted key, performing a second decryption on said partially decrypted key using a first confidential serial number to produce a decrypted key, descrambling said scrambled signal using said decrypted key to produce a descrambled signal, and outputting said descrambled signal.
 37. The method of claim 36, wherein said first confidential serial number is assigned to said decoder.
 38. The method of claim 36, wherein said second confidential serial number is assigned to said replaceable security module.
 39. The method of claim 35, wherein said second confidential serial number is assigned to said decoder.
 40. The method of claim 35, wherein said first confidential serial number is assigned to said replaceable security module.
 41. A decoder for receiving and descrambling a signal scrambled using a twice-encrypted key, said decoder comprising: connector means for connecting said decoder to a replaceable security module, through which connector means said twice-encrypted key is transmitted to said replaceable security module and a partially-decrypted key is received from said replaceable security module, key decryptor means, coupled to said connector means for performing a decryption on said partially-decrypted key using a second confidential serial number, and outputting a decrypted key, and signal descrambling means coupled to said key decryptor for descrambling said signal with said decrypted key and outputting a descrambled signal.
 42. The decoder of claim 41, further comprising: key memory means coupled to said signal descrambling means and said key decryptor means for storing said decrypted key.
 43. The decoder of claim 41, wherein said signal is a television signal.
 44. The decoder of claim 43, wherein said television signal is a B-MAC type television signal.
 45. The decoder of claim 41, wherein said scrambled signal and said twice-encrypted key signal have been multiplexed together prior to reception by the decoder.
 46. The decoder of claim 45, further comprising: demultiplexor means for demultiplexing said twice-encrypted key signal from said scrambled signal.
 47. The decoder of claim 41, further comprising: telephone interface means for transmitting and receiving data to and from a pay television provider, said data encrypted with a confidential telephone number.
 48. The decoder of claim 47, wherein said twice-encrypted key is received via said telephone interface means.
 49. A decoder for receiving and descrambling a signal scrambled using a twice-encrypted key, said decoder comprising: key decryptor means, for performing a first key decryption on said twice-encrypted key using a first confidential serial number and outputting a partially decrypted key, connector means, coupled to said key decryptor means for connecting said decoder to a replaceable security module, through which connector means said partially decrypted key is transmitted to said replaceable security module and a descrambling control signal is received from said replaceable security module, signal descrambling means, coupled to said connector means and receiving said descrambling control signal for descrambling said signal and outputting a descrambled signal.
 50. The decoder of claim 49, wherein said signal is a television signal.
 51. The decoder of claim 50, wherein said television signal is a B-MAC type television signal.
 52. The decoder of claim 49, wherein said scrambled signal and said twice-encrypted key signal have been multiplexed together prior to reception by the decoder.
 53. The decoder of claim 52, further comprising: demultiplexor means for demultiplexing said twice-encrypted key signal from said scrambled signal.
 54. The decoder of claim 49 further comprising: telephone interface means for transmitting and receiving data to and from a pay television provider, said data encrypted with a confidential telephone number.
 55. The decoder of claim 54, wherein said twice-encrypted key is received via said telephone interface means.
 56. A replaceable security module for storing confidential serial number and performing a partial decryption of a twice-encrypted key and outputting a partially decrypted key, said replaceable security module comprising: connector means for connecting said replaceable security module to a decoder and through which said twice-encrypted key is received from said decoder and a partially decrypted key is transmitted to said decoder, memory means for storing at least said confidential serial number, and decryption means, coupled to said connector means and said memory means for performing a partial decryption on said twice-encrypted key and outputting said partially-decrypted key.
 57. The replaceable security module of claim 56, wherein said memory means further comprises: security means for allowing the contents of said memory means to be read only by said decryption means.
 58. A replaceable security module for storing a secret serial number and performing a decryption of a partially decrypted key and outputting a descrambling control signal, said replaceable security module comprising: connector means for connecting said replaceable security module to a decoder and through which said partially decrypted key is received from said decoder and said descrambling control signal is transmitted to said decoder, memory means for storing at least said secret serial number, and decryption means, coupled to said connector means and said memory means for performing a decryption on said partially decrypted key and outputting a descrambling control signal.
 59. The replaceable security module of claim 59 is not restated here; 59. The replaceable security module of claim 58, wherein said memory means further comprises: security means for allowing the contents of said memory means to be read only by said decryption means.
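
The key flow of method claims 28 and 35 (first decryption in the decoder, second in the replaceable module), as an added example that is not part of the patent. The claims name no cipher, so an HMAC-SHA256 keystream with an integrity tag per layer is used as a stand-in; all function, class and serial-number names are assumptions.

```python
import hashlib, hmac, os

def _sub(serial: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one serial number.
    return hmac.new(serial, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); an assumption, not the patent's.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(serial: bytes, data: bytes) -> bytes:
    """Add one encryption layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(serial, b"enc"), nonce, data)
    tag = hmac.new(_sub(serial, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(serial: bytes, blob: bytes) -> bytes:
    """Remove one layer; a wrong serial number fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(serial, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer does not match this serial number")
    return _xor_stream(_sub(serial, b"enc"), nonce, ct)

def head_end(key: bytes, ssn1: bytes, ssn0: bytes) -> bytes:
    # Claim 28: encrypt with the first serial number, then with the second.
    return wrap(ssn0, wrap(ssn1, key))

class SecurityModule:
    def __init__(self, ssn1: bytes):
        self._ssn1 = ssn1  # stored in the module, never handed to the decoder
    def second_decryption(self, partial: bytes) -> bytes:
        return unwrap(self._ssn1, partial)

class Decoder:
    def __init__(self, ssn0: bytes, module: SecurityModule):
        self._ssn0, self.module = ssn0, module
    def recover_key(self, twice_encrypted: bytes) -> bytes:
        partial = unwrap(self._ssn0, twice_encrypted)  # first decryption, in the decoder
        return self.module.second_decryption(partial)  # second decryption, in the module

def descramble(key: bytes, scrambled: bytes) -> bytes:
    # In this stand-in, scrambling and descrambling are the same XOR operation.
    return _xor_stream(key, b"\x00" * 16, scrambled)
```

Because each layer carries its own tag, a key message addressed to one decoder and module pair is rejected by any other decoder or module, and a key message issued for a replacement module is rejected by the module it replaced.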